apache log files are user-readable
With SuSE 6.3, apache creates its logfiles in /var/log with permissions 644, which is not really on. Access logs shouldn't be available to all users, at least not by default. Add this to /etc/permissions.local and run chkstat -set /etc/permissions.local:

# apache
# Change the www for httpd.conf to root if you haven't created a www group.
/etc/local/httpd.conf root.www 640
/var/log/httpd.access_log root.root 600
/var/log/httpd.error_log root.root 600

Volker
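An added example, not code from the thread: a small POSIX shell audit of a permissions.local-style file (path owner.group mode lines, the format Volker's snippet uses) that reports entries whose actual owner, group or mode differ, plus a helper that lists which of a set of files are readable by "other". It only reports; the fixing is left to chkstat. It assumes GNU stat with -c, as on Linux.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# check_permissions reads a permissions.local-style file whose lines are
#     <path> <owner>.<group> <mode>
# (comment lines start with '#') and reports every entry whose actual
# owner, group or mode differs. It changes nothing; chkstat does that.
# Assumption: GNU stat with -c (Linux coreutils).
check_permissions() {
    perm_file=$1
    bad=0
    while read -r path owner_group mode; do
        # Skip blank lines and comment lines.
        case $path in ''|\#*) continue ;; esac
        # Accept both 640 and 0640 in the file; stat -c %a prints 640.
        mode=${mode#0}
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"
            bad=$((bad + 1))
            continue
        fi
        actual=$(stat -c '%U.%G %a' "$path")
        if [ "$actual" != "$owner_group $mode" ]; then
            echo "MISMATCH $path: want $owner_group $mode, have $actual"
            bad=$((bad + 1))
        fi
    done < "$perm_file"
    # Exit status is the number of problems found (0 = everything matches).
    return "$bad"
}

# world_readable prints which of the given files grant read access to
# "other", i.e. the 644-style mode the thread is about.
world_readable() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        case $(stat -c '%a' "$f") in
            *[4567]) echo "$f" ;;
        esac
    done
}
```

Run it as `check_permissions /etc/permissions.local` before and after `chkstat -set` to confirm the log files actually ended up at 600.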
On Sat, 15 Apr 2000, Volker Kuhlmann wrote:
> 644, which is not really on. Access logs shouldn't be available to all users, at least not by default.
Why not? Users can create web pages, so these files are often useful to debug problems. If you want to create access statistics (for example with webalizer), you need to read httpd.access too. I don't see any security hole... (please let me know if you really find one)

Cheers, Peter
--
Peter Münster
http://gmv.spm.univ-rennes1.fr/~peter/
On 15 Apr 2000, at 10:15, Peter Münster wrote:
> If you want to create access statistics, (for example with webalizer) you need to read httpd.access too. I don't see any security hole... (please let me know, if you really find one) Cheers, Peter
Hi,

when using webalizer one will very likely create a special user the webalizer scripts are run under. The log files are not kept in a place *any* user has access to; just the statistics can be accessed by the individuals (like having the logs in /var/log/httpd/username and the statistics at ~home/stats). Giving access to log files may or may not be security relevant in your environment; in others it may well be. Also be aware that some countries have very strict privacy protection laws that oblige you to take care that no unauthorized person has such access to log files; some laws even forbid such access to the user, and other laws do not allow the existence of such logfiles at all.

mike
participants (3): Peter Münster, Thomas Michael Wanka, Volker Kuhlmann